At the Passwords^12 Conference in Oslo, Norway, researcher Jeremi Gosney presented an extremely powerful password cracking rig that wields a spectacularly heavy 25 GPUs in order to quickly chew through cryptographic hashes and extract the passwords that they hide. The slides are available online [PDF], and in his demo he showed how the rig could use OpenCL and VCL to run Hashcat, a password cracking program, across a cluster to burn through Windows XP passwords in less than six minutes.

To be precise, the 25-GPU rig is designed as a highly parallel cluster for hash cracking:

In a test, the researcher’s system was able to churn through 348 billion NTLM password hashes per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14-character Windows XP password hashed using LM NTLM (NT LAN Manager), for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference.

It’s exactly this sort of setup that people might expect to be used by hackers who have successfully penetrated a website and stolen the user credentials, but it would not be useful for cracking the passwords of users on a live online service. This device would be used to attack a pile of cryptographically hashed passwords captured from a website in order to recover the passwords stored within. I have discussed hashes and why they’re important in previous articles about leaks.

In security terms, cryptographic hashing of passwords isn’t a panacea that makes users’ passwords uncrackable; it exists to slow down the bad guys so that, once the password loss is discovered, IT professionals (and users) have time to change their passwords and do damage control.

However, with advances in rigs such as Gosney’s GPU cluster, that time is shortening.

As a result, popular and consumer-level cryptographic hash algorithms need to keep up with the computing power capable of cracking them. In fact, Poul-Henning Kamp, creator of the md5crypt() function used by FreeBSD, recently acknowledged that the production-level hashing function wouldn’t be long for this world, as it could be quickly cracked by something like Gosney’s GPU rig.

“As the author of md5crypt, I implore everybody to migrate to a stronger password scrambler without undue delay,” Kamp wrote in June. At the same time, he bowed out of the Red Queen race and urged people to use stronger (and if they could, unique-to-them) algorithms to help protect their users.

To this day, cryptographic hashing is still the industry standard for increasing the damage-control time in the case of password leaks. As this is indeed a Red Queen race with cracking technology, it is necessary to move to bigger and badder complexity in order to lengthen that time once again, as governments and criminal enterprises also upgrade their equipment to lengthen their own window of opportunity.
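As an added example (not code from the article, from Gosney's rig or from md5crypt), the Python below estimates the damage-control window the article describes, using its figure of 348 billion NTLM guesses per second, and contrasts it with a salted, iterated KDF (PBKDF2 here, assumed as a stand-in for the "stronger password scrambler" Kamp calls for). The scaling that treats one KDF round as costing about one fast hash is an illustrative assumption, not a measured figure.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Figure reported in the article for Gosney's 25-GPU rig against NTLM.
NTLM_GUESSES_PER_SEC = 348e9


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def exhaust_seconds(charset_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case seconds to try every password of this shape at a given rate."""
    return keyspace(charset_size, length) / guesses_per_sec


def stretched_rate(fast_rate: float, iterations: int) -> float:
    """Effective guess rate against an iterated KDF. Assumption (illustrative):
    each PBKDF2 round costs about one fast hash, so the rate drops by `iterations`."""
    return fast_rate / iterations


def hash_password(password: str, iterations: int,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash: the per-user salt rules out precomputed tables and
    the iteration count is the tunable cost that buys defenders time."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def damage_control_window(charset_size: int, length: int, iterations: int) -> Tuple[float, float]:
    """(seconds to exhaust a fast NTLM-style hash, seconds for the iterated KDF)."""
    fast = exhaust_seconds(charset_size, length, NTLM_GUESSES_PER_SEC)
    slow = exhaust_seconds(charset_size, length, stretched_rate(NTLM_GUESSES_PER_SEC, iterations))
    return fast, slow


if __name__ == "__main__":
    fast, slow = damage_control_window(95, 8, 100_000)  # 8 printable ASCII characters
    print(f"fast hash: {fast / 3600:.1f} hours; iterated KDF: {slow / 86400 / 365:.0f} years")
```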

About Kyt Dotson

Kyt Dotson is a Senior Editor at SiliconAngle and works to cover beats surrounding DevOps, security, gaming, and cutting edge technology. Before joining SiliconAngle, Kyt worked as a software engineer starting at Motorola in Q&A to eventually settle at Pets911.com where he helped build a vast database for pet adoption and a lost and found system. Kyt is a published author who writes science fiction and fantasy works that incorporate ideas from modern-day technological innovation and explore the outcome of living with those technologies.